May 6, 2013

Multifactor Authentication: What It Is and Why It Matters

There’s a lot of buzz right now around multifactor authentication, and the need for more services like Twitter to support it, so we figured our users could benefit from a clarification of what it is, how it works with LastPass, and why it matters.

What Is Multifactor Authentication?

Multifactor authentication simply refers to the requirement of a second piece of information before allowing access to an account. By adding another authentication step, you are requiring that the user enter two forms of data - typically the first being something the user knows, like a username and password, and the second being something the user has physical access to, like an app on a mobile phone that generates one-time codes or a device that plugs into the computer to scan a fingerprint. After enabling multifactor authentication, the user is required to enter both pieces of data (username/password + generated piece of data) each time they log in to the account or service.

Why It Matters

Good security is about being proactive and mitigating risk. Multifactor authentication increases security by adding another barrier to entry, decreasing the likelihood that a “pretender” can break in. It makes it harder for someone who has stolen the password to gain entry to the account. Unfortunately, many websites don’t implement this second form of authentication, which is why implementing it with your LastPass account is critical - and arguably more effective.

If you enable multifactor authentication with LastPass, you have significantly increased the security of your LastPass account itself, which is the hub of your online life. If someone compromises your master password, they can't gain access to your account without the second form of authentication. Since LastPass gives you the tools to generate secure, non-guessable passwords for all your accounts, if you then launch all of your sites from LastPass, you are eliminating risks of phishing attacks and other threats because you are going directly to your sites and logging in with LastPass. By enabling a multifactor authentication device, you are in effect enabling it for each of the sites in your vault as well. For Enterprise, if your Identity Provider utilizes multifactor authentication, as LastPass does, you also get the full benefit of multifactor authentication without passwords at all sites that you've implemented it on.

How It Works With LastPass

Once you enable multifactor authentication with LastPass, you'll be required to first enter your email address and master password, then the multifactor authentication data. LastPass offers support for several multifactor authentication methods:
  • Google Authenticator (Free): Utilizes a Google app, available for Android, iOS, and BlackBerry, which will generate a code every 60 seconds that you will enter when prompted.
  • Grid (Free): A unique, generated spreadsheet of random values that resemble a Battleship grid, each section containing a different letter or number. Once enabled, you'll be prompted to find and enter four values from the spreadsheet.
  • Sesame (Premium): Generates unique One Time Passwords (OTPs) each time you log in. The feature can be run from a USB thumb drive, and you have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.
  • YubiKey (Premium): A key-sized device that you plug into your computer's USB port, and which generates a unique One Time Password each time it's pressed. YubiKeys are immune from replay attacks, man-in-the-middle attacks, and a host of other threat vectors. The key can be purchased from Yubico and bundled at a discounted rate with LastPass Premium. It needs no batteries and is waterproof and crush-safe.
  • Fingerprint Reader (Premium): LastPass has support for a small selection of fingerprint readers, including Windows Biometric Framework, UPEK, and Validity.
  • SmartCard Reader (Premium): LastPass has experimental support for SmartCard readers. See our help article for more details and limitations.
With all multifactor security options, you have the ability to mark the computer as "trusted", leaving multifactor enabled but not requiring it on that particular "safe" location.

Get Proactive

Passwords are not going anywhere soon, and because sites have implemented different security standards and requirements, we strongly recommend enabling a form of multifactor authentication with LastPass. This will help you better protect, and mitigate risks to, your LastPass account and your online life as a whole.

The LastPass Team

29 comments:

  1. Can you explain how multi-factor auth actually makes my account more secure? My understanding is that once enabled my LastPass blob is not re-encrypted with any secrets from the yubikey (which is why I can continue to use LastPass mobile without a yubikey).

    This means that with the type of attack LastPass thinks they suffered last year where encrypted blobs were stolen accounts with Yubikey enabled were in no way safer than single factor accounts.

    I understand that the Yubikey helps protect against attacks from naive attackers simply trying to hack into lastpass.com using my account and a replayed master password. But against a real attack with an intelligent hacker that is brute forcing my blob isn't the multifactor auth just theater?

    1. Multi-factor authentication protects your account at the login level, not when your password blob is stolen. It prevents a thief from brute forcing your login because they can't log in without the YubiKey, even if they know your ID and password.

      As for a thief stealing your blob, I can't see them brute forcing that. They would first need to brute force your ID (unless they know it) and your password first to somehow decrypt the blob.

    2. Just to add to Paul's response...

      The use of a Yubikey offers one additional safeguard -- we doubly encrypt your local cache with the static otp portion of the yubikey (in addition to your standard encryption key). This is further protection against offline attacks.

  2. Now that Microsoft has introduced multifactor authentication and has an app for password generation on its Windows Phone 8 store, can LastPass consider adding the option of using their facility too soon?

    1. Yes, LastPass already supports this on our Windows 8 devices.

  3. Awesome, hope all people know about this and all the sites start supporting this feature and help people know how to make their online accounts safer.

  4. I am a bit worried about what would happen if my 2nd factor authentication device such as a YubiKey or phone in the case of Google Authenticator for example would die or get stolen or whatever that I wouldn't have access to it anymore. Would I then basically be locked out of all my usernames/passwords? Can you please explain what happens in a situation like that? I'd like to use 2nd factor authentication on a lot of things like my gmail account and stuff (currently I only use it for my Blizzard account) but I am scared of the idea of losing the 2nd factor device and getting permanently locked out of all my stuff.

    1. There is a process for "disabling" the multifactor, when you next login if you didn't have your device you'd click the "disable" link to send yourself an email with next steps.

  5. Here is a nice video of how it works and what to do if you lose your YubiKey

    https://www.youtube.com/watch?feature=player_embedded&v=4JXzB-mHy2Y

  6. Can we have SMS based Multifactor Authentication please?

    Also, allowing two types of Multifactor Authentication would save me some worry. Like if I lose my laptop and phone (with Google Authenticator) I am screwed, no? I will not be able to log into LastPass using the new laptop, no?

  7. While I am a huge fan of multifactor authentication, this statement is not true:

    "By enabling a multifactor authentication device, you are in effect enabling it for each of the sites in your vault as well."

    If your password for a particular site were stolen (through phishing, entering on a compromised machine, whatever), the hacker would then be able to access the target site, even if you are using multifactor authentication for your Lastpass account. All websites (or, at least all websites where access is "important") should implement multifactor authentication. We can't absolve them of that shortcoming, even if we are diligent with our master password account.

  8. Why do you promote fingerprint readers? They are a terrible authentication method. A fingerprint is an image-based password you cannot change, and you leave a copy on everything you touch. It is also not impossible to emulate a fingerprint reader in software to run from image files of fingerprints; cutting fingers off is not necessary to steal info.

  9. How does LastPass remember the "location" and know that it is safe?

    1. We generate a unique id and store it in local protected storage. You can then view all trusted locations under your account settings on lastpass.com, and remove them from the trusted list as necessary (should your laptop get stolen, for example).

  10. One reason I like LastPass is for faster logins. That's why I'm not gung ho about multifactor authentication, because it slows things down. One of my banks has started that; if you've cleared your cookies, it insists on sending you a code first before you can log in. This makes things very difficult, especially for Quicken to download my transactions. I prefer to have a strong LastPass master password. While it is remembered on my Droid, work computer, and home computer, if I lost any of these, the first thing I would do is immediately change that password.

  11. If I want to use the Google Authenticator app to secure LastPass, do I have to set up my Google login access to use it too?

    i.e. can I use it *only* for LastPass, or do I need to change my Google account setup for it too?

    thanks...

    1. Yes, Google Authenticator is set up separately for each account, so you can set it up to use only for LastPass without activating it on your Google account. Each configured account will be shown in a separate entry in the Google Authenticator app, so you could even use it for multiple LastPass accounts, e.g. work and personal, which would each require a different code.

  12. There is a "trusted computers" tab in the multifactor authentication settings; how does it work? I mean, how does LastPass identify the computer: by name, IP address or something else?

    2. We generate a unique id and save it in local protected storage.

  13. Is it possible to have multiple two-factor schemes active at once, e.g. both Google authenticator & Yubikey, and choose which to use at login time?

    Thanks

    1. Yes, this is now available in our latest prebuild (https://lastpass.com/dlpre) - if you try with any problems please submit a report to the team directly: https://lastpass.com/supportticket.php

    4. LP Support confirm that although you can now have both YubiKey and GA active at once - in Account Settings - you do not get to choose which to use at login.

      It defaults to YubiKey on the desktop, and GA on a mobile device. That makes sense to me.

      thanks again.

    5. Breakdown of the order of use when multiple multifactor auth methods are enabled - https://lastpass.com/support.php?cmd=showfaq&id=5686

  14. Please explain what happens if my laptop is stolen and is classed as a trusted device and therefore does not ask for password. So someone can easily go to all my account as well as email. Then they can reset my own password so I can't disable the laptop. I am then locked out of my own lastpass.

    1. There are a number of features we would recommend using to help mitigate this risk. First, please enable the autologoff options in the LastPass Icon > Preferences, on all browsers on your computers. This ensures LastPass will autologoff when your browser goes idle or is closed. You can also "remove" trusted devices at any time from the LastPass Icon > My LastPass Vault > Settings > Trusted Devices. That way, if a laptop is stolen, you can remove the trusted device, and kill your session, and then they won't have immediate access to your account. Note too that even if a device is trusted, if you're logged out they'll still need to enter the username and master password - unless you've checked "remember password" or have it written on your laptop somewhere, they shouldn't be able to get to it. If we can be of further help, please reach out to our team: https://lastpass.com/supportticket.php
